A phishing attack on AU Medical Center and Augusta University has potentially breached the data of a limited number of patients, the organization announced on Friday -- five months after the incident occurred.

Hackers gained access to the email accounts of two employees between April 20 and 21. While AU didn’t report when the phishing incident was first discovered, the investigation into the breach ended on July 18.

Upon discovering the breach, officials said access to email accounts was disabled and passwords were reset. The investigation couldn’t confirm if any information was accessed or copied by the cybercriminals.

The number of patients affected is not yet listed on the U.S. Department of Health and Human Services’ Office of Civil Rights’ breach reporting tool, but AU officials said it was less than 1 percent of its patients.

This is the second time AU has fallen victim to phishing attacks. AU reported a phishing attack in September 2016, which resulted in the loss of similar data. However, the investigation into the attack wasn’t completed until March 2017 -- six months after the incident.

The most recent breach highlights an ongoing issue with healthcare organizations: timely breach reporting. HIPAA requires all organizations to report breaches 60-days within time of discovery.

In January, Presence Health was fined $475,000 by OCR for failing to report a breach in a timely manner.